ABSTRACT


In recent years, demand for hospital information systems in healthcare institutions has increased significantly. Data security, however, is a major concern in the use of health information systems. The purpose of this research is to examine security risk assessment of medical information systems. The study is a systematic evaluation of the literature that provides an overview of previous articles and research on Security Risk Assessment in Medical Information Systems. A qualitative and descriptive research design was applied: scientific literature, together with recent articles from popular publications, was evaluated and analyzed in depth in accordance with that design. The literature review provides a thorough understanding of the subject, supplies the background for the research, and positions the study within the wider field. The main objective of this research is to analyze and discuss the findings of the literature review and to evaluate the risks and challenges identified. Each study was examined in terms of its methodology, the threats it addresses, and the mitigations it suggests. Finally, the study discusses the gaps and major neglected concerns revealed by the systematic review, as well as future directions for risk assessment in medical information systems.
1. INTRODUCTION

Several studies have been conducted on the possible risks of cyberattacks, particularly in healthcare organizations. There are, however, a number of unknown risks that might threaten the privacy of healthcare resources and information in healthcare centers. A risk assessment is a procedure in which an organization identifies threats and decides on the most effective means of avoiding or controlling them. Healthcare information security depends mainly on risk assessment. Regardless of their size, all medical centers must assess their risks and keep an up-to-date, detailed record of their risk management performance. A wide range of internal and external security risks, such as the exploitation of and threats to important information, affect the security of organizations today [1]. Natural catastrophes and human errors may also pose a danger to cyber security, which might result in serious outcomes [2].

Protecting personal information, maintaining information integrity, and securing system reliability are all requirements of health data security. Hospitals and other healthcare organizations may face legal challenges or economic damages if they fail to address any of these issues [3]. Improved information privacy, on the other hand, might lead to improved access to healthcare records by patients and healthcare professionals alike [4]. Illegal technology and software used for communication and crime are among the most prevalent dangers to data security. Dismissed employees may pose a further danger to information security, so the permissions granted to such individuals should be limited and revoked promptly when they leave. Hackers, privacy breaches, and computer viruses may also compromise the security of the information [5]. It is therefore important to recognize the cybersecurity risks in healthcare in order to be able to deal with their possible consequences. A risk management plan is essential to avoid problems caused by the range of security risks [6].

Cybersecurity risk evaluation typically involves identifying security risks, estimating the likelihood and impact of possible threats, and then ranking the threats to determine the level of practice and policy required to manage them successfully [7]. For healthcare organizations, risk assessment is necessary to manage resources correctly, plan human resource management, comply with their regulatory requirements, and protect their property and patients' data [8]. The goal of this study is to assess the information security risks in medical information systems.
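The likelihood-and-impact evaluation described above, as an added worked example (not code from this paper or from any of the reviewed studies): a small risk register for a hospital information system is scored on a five-point likelihood scale and a five-point impact scale, mapped to treatment bands and prioritised, and the residual score after a control is applied is computed. The scales, the band thresholds, the threat entries and the `residual` helper are assumptions made for illustration, not values taken from the literature.

```python
"""Qualitative risk scoring for a medical-information-system risk register.

Added example (not from the reviewed paper). Scales, thresholds and the
register entries below are constructed for illustration.
"""
from dataclasses import dataclass

# Five-point ordinal scales (assumption: a common healthcare risk-matrix layout).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str
    asset: str
    likelihood: str
    impact: str
    existing_controls: str = ""


def score(risk: Risk) -> int:
    """Risk score = likelihood rating x impact rating (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(s: int) -> str:
    """Map a score to a treatment band; the thresholds are an assumption."""
    if s >= 15:
        return "high"      # treat immediately
    if s >= 8:
        return "medium"    # plan treatment
    return "low"           # accept and monitor


def prioritise(register: list) -> list:
    """Return (threat, score, band) tuples sorted from highest to lowest score."""
    rows = [(r.threat, score(r), band(score(r))) for r in register]
    return sorted(rows, key=lambda t: t[1], reverse=True)


def residual(risk: Risk, likelihood_reduction: int = 0, impact_reduction: int = 0) -> int:
    """Score after a control lowers likelihood and/or impact by whole steps (floor 1)."""
    l = max(1, LIKELIHOOD[risk.likelihood] - likelihood_reduction)
    i = max(1, IMPACT[risk.impact] - impact_reduction)
    return l * i


# Constructed sample register (hypothetical entries, not data from the paper).
REGISTER = [
    Risk("Ransomware via phishing e-mail", "EHR server", "likely", "severe", "e-mail filtering"),
    Risk("Departing employee retains EHR access", "EHR accounts", "possible", "major"),
    Risk("Fire in server room", "On-site backups", "unlikely", "severe", "smoke detection"),
    Risk("Lost unencrypted USB stick", "Exported patient lists", "possible", "moderate"),
]

if __name__ == "__main__":
    for threat, s, b in prioritise(REGISTER):
        print(f"{s:>2} {b:<6} {threat}")
    # Revoking access on departure drops likelihood from "possible" to "rare".
    print("residual after access revocation:", residual(REGISTER[1], likelihood_reduction=2))
```

The register deliberately mixes a cyber threat, an insider threat and a physical hazard: the product rule ranks them on one scale, and `residual` shows why revoking departing staff's access matters, since it moves that entry from the medium band to the low band without touching the impact.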


1.2 Motivation 
Like organizations in other sectors, hospitals are susceptible to threats. At the same time, healthcare organizations are urged to adopt electronic health records and to share them with one another. They are particularly susceptible to data threats because of the significance of the healthcare information they hold [9]. Hence, healthcare organizations face a challenge in securing healthcare information, and it is crucial to explore this subject and look for solutions that lower these threats. It is important to examine the types of threats, the strategies employed against them, and how to defend against these risks. This study therefore focuses on the most important of these issues.

The main problem affecting hospitals today is the exploitation of, and threats to, patient information, both of which threaten the security of the organizations [10]. Personal data security, data management, and system reliability are the primary needs of health data security. Hospitals and other healthcare organizations may suffer social or legal consequences if they ignore these risks, and because of the significance of their medical records they are particularly vulnerable to security threats. Hence, healthcare organizations have a problem with the protection of healthcare data. This study therefore presents the risk assessment of information security in medical information systems and how people with less experience may protect themselves from these cyberattacks.


The scope of this research is mainly the assessment of information security threats to medical information systems and how these risks might be mitigated. The findings of the study can be applied by healthcare organizations to improve the efficiency of their IT departments and the security of patient data. The research encourages people to protect themselves by focusing on the risks associated with information security, and it describes the measures hospitals have taken to improve their strategies for better data security and patient identification. The main objectives of the study are:

1. To review Information Security Risk Assessment for medical information systems.

2. To analyze the information security threats, solutions and assessments for medical information systems.


2. LITERATURE REVIEW

This section presents the literature on Security Risk Assessment in Medical Information Systems. An IoT risk assessment framework was suggested by [11] as a step-by-step procedure for IoT risk assessment in a healthcare system; a DEMATEL-based IoT threat assessment technique was used to construct the suggested risk control framework. The research was conducted on the basis of a particular hospital's recent adoption of IoT technology. A survey of selected participants from the health center found that the case-study hospital had no developed IoT risk management framework because its IoT deployment had been ad hoc; healthcare information was not adequately protected, and various alternative work processes were in use. Three IoT specialists and two IT health providers assessed the suggested model using the System Usability Scale (SUS) and gave it a "Good" usability score, indicating that it may be used to control healthcare IoT risks. Each stage of the risk assessment must be overseen by the system security organization to guarantee that the solutions are being followed. Because healthcare services are critical, interruptions can hold back development and improvement, so risk management teams must work effectively to keep services operating smoothly. Assessment may help administrators understand what adjustments need to be made to maintain essential risk management within the organization, as well as identify technical controls that are lacking [12].
Another study by [13] examined a strategy for a standardized risk assessment library, together with an example use case that maps the findings of a web application risk assessment onto the developed standardized library. An open-source systematic risk assessment framework was developed as a result of this study, and an open-source web application with known risks was used to show the advantages of using a standard risk management framework. According to the results, the use case demonstrates how well the framework can standardize the language of the risk management process and thereby improve the overall system. Strategic planning and assessing risk across an organization is inefficient if each member adopts their own personal language to describe risk components, and this need had not previously been addressed by a standardized library. The study describes a standardized framework and provides an example of how it may be put to use [14].

At Moi Teaching and Referral Hospital, the research by [15] introduced a new way of protecting the Hospital Information System against the risk of patient data breaches. For a secure electronic health record, the framework offers an organized system for implementing data security, together with the essential strategies, methods, policies, and technology to assure privacy and data security. The findings also show that most operational safeguards, such as regulations and guidelines, are in place and contribute to data security, and most medical records workers believe that the privacy policy and restrictions in place are effective. In contrast to the organizational safeguards, most staff members disagreed that the technological security requirements were being met.

Risk management for a patient information technology (IT) security system was investigated by [16]. The model was built by examining existing information security risk analysis standards and guidelines, and it incorporates risk evaluation and security risk evaluation as its key steps. Based on findings from selected hospitals, the system was able to investigate and assess the security risk associated with a hospital's information management system. It was capable of predicting many exploitation scenarios in order to identify security breaches and to produce a standard analysis. An evaluation of the models found that they reflected changes in the level of data security in an accurate representation of healthcare facilities. Additionally, the prototype system was able to produce a risk management plan with solutions for improving security [16].

Flexible risk management frameworks for healthcare systems were developed by [17] in the area of management reliability, and a strategy for creating a successful continuity plan was provided. Risk analysis of various kinds of security systems in various organizations may be achieved by obtaining the necessary information using the presented strategy. Implementing a statistical method for allocating resources in the face of potential threats is proposed as future research. To keep the risk assessment process tractable, this research did not consider probable correlations between impact variables; such interactions could be explored using an approach such as DEMATEL or fuzzy cognitive maps [17].
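DEMATEL, which [11] used to build its IoT risk framework and which [17] suggests for exploring interactions between impact variables, as an added example rather than code from either study: the direct-influence matrix, the factor names and the `dematel` helper below are constructed for illustration. The method normalises the expert-scored direct-influence matrix D into N, computes the total-relation matrix T = N(I - N)^-1 (the sum of all direct and indirect influence paths), and ranks factors by prominence (R + C) and net effect (R - C), so a risk team can see which factors drive the others and should be treated first.

```python
"""DEMATEL for interrelated risk factors.

Added example (not code from [11] or [17]). Factor names and the
direct-influence scores are constructed for illustration.
"""


def _identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def _inverse(a):
    """Gauss-Jordan inverse of a small square matrix, in pure Python."""
    n = len(a)
    m = [list(map(float, row)) + ident for row, ident in zip(a, _identity(n))]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("matrix is singular")
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def _matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def dematel(direct):
    """direct[i][j] = strength with which factor i influences factor j.

    Returns (T, prominence, net): the total-relation matrix, R+C per factor
    (how involved the factor is) and R-C (positive = net cause, negative =
    net effect)."""
    n = len(direct)
    # normalise by the largest row or column sum so the series N + N^2 + ... converges
    s = max(max(sum(row) for row in direct),
            max(sum(direct[i][j] for i in range(n)) for j in range(n)))
    norm = [[x / s for x in row] for row in direct]                 # N = D / s
    i_minus_n = [[(1.0 if i == j else 0.0) - norm[i][j] for j in range(n)]
                 for i in range(n)]
    total = _matmul(norm, _inverse(i_minus_n))                      # T = N (I - N)^-1
    r = [sum(row) for row in total]                                 # influence given
    c = [sum(total[i][j] for i in range(n)) for j in range(n)]      # influence received
    return (total,
            [ri + ci for ri, ci in zip(r, c)],
            [ri - ci for ri, ci in zip(r, c)])


# Constructed example: four IoT risk factors in a hospital, scored 0 (no
# influence) to 4 (very high influence) by a hypothetical expert panel.
FACTORS = ["ad hoc device deployment", "weak device authentication",
           "unpatched firmware", "patient data exposure"]
DIRECT = [
    [0, 3, 3, 2],
    [0, 0, 1, 4],
    [0, 1, 0, 3],
    [0, 0, 0, 0],
]

if __name__ == "__main__":
    _, prominence, net = dematel(DIRECT)
    for name, p, e in sorted(zip(FACTORS, prominence, net), key=lambda t: -t[2]):
        kind = "cause" if e > 0 else "effect"
        print(f"{name:<28} R+C={p:5.2f}  R-C={e:+5.2f}  {kind}")
```

In the constructed matrix "ad hoc device deployment" receives no influence and gives a lot, so it comes out as the strongest net cause, while "patient data exposure" only receives influence and is the pure effect; that is the kind of cause/effect split a risk team uses to decide where a control has the most leverage.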

For the Internet of Medical Things (IoMT), [18] proposed a taxonomy of security and privacy (S&P) issues. A technique for quantifying IoMT risk was also presented, and risk assessment was demonstrated on two IoMT devices. By allowing IoMT participants to evaluate and assess possible S&P risks, this effort intends to raise S&P awareness among them. S&P for IoMT is significantly more challenging because of the devices' vulnerability and their importance in hospitals; patients' safety and even their health may be at stake if IoMT lacks adequate S&P. The taxonomy aids in understanding IoMT S&P concerns so that efficient security strategies can be designed, although novel or unknown risks and attributes may need to be addressed in the future because of the fast advancement of technology and attacker capabilities. Based on the taxonomy, the researchers devised a risk assessment method intended to help users understand and measure security in IoMT so that they can make better decisions, and they planned to create further measures to help quantify IoMT S&P. The researchers anticipate that their study will aid the adoption and development of safe IoMT, so that patients and healthcare professionals may benefit greatly at low risk [19].
[20] conducted an evaluation of the Health Information System (HIS) of hospitals affiliated with a university of medical sciences in western Iran. All healthcare departments were connected to the HIS by a Local Area Network (LAN). It is critical to design and operate this technology while keeping in mind the demands of users, existing procedures, and organizational structures, since the effectiveness of these systems depends on the ability to adjust the HIS to the specific demands of its users. Information from both clinical and non-clinical sectors of the healthcare institutions was collected using a five-point Likert-scale survey, and descriptive statistics were computed in SPSS. Even though all healthcare facilities had acquired their software from a single vendor, the level of user experience with the different components of the systems was practically the same, according to the findings. Web-based HIS capabilities, international database information, and software module adaptability were recommended as the most significant system improvements [21].

In another study, [22] proposed an assessment tool for security threats. A total of 125 publications published between 1995 and May 2014 were used to develop this analysis. Depending on the size of the organization, risk assessment approaches can be difficult to choose. Since the previous taxonomy did not take into account significant criteria in risk assessment created by new technological developments or the level of sophistication of an attacker, numerous risk-based solutions have been proposed. According to the researchers, an information security policy includes the most important aspects of risk management. Organizations may use the novel risk management taxonomy to approach risk assessment by assessing different new ideas, as well as to choose an appropriate method for conducting a risk assessment. Furthermore, this taxonomy opens up potential opportunities for study in the rapidly expanding area of risk evaluation. The study's taxonomy is a step forward in establishing high-quality information security risk assessment [22].

[23] analyzed developments and risk evaluation in private finance initiative (PFI) projects in the hospital sector. The research evaluated secondary information and conducted interviews with different individuals in large healthcare PFI projects in order to better understand recent advancements in healthcare PFI and risk assessment in healthcare programs. According to the findings, the number, capital growth, and scale of healthcare projects using PFI are all on the rise. Risk control strategies of various degrees of severity were used in the hospital PFI projects. The primary risk assessment method appears to have been experience-based, with prevention examined first before any remaining risks were assessed and allocated. Additionally, "risk warning" tools, such as risk matrices and assessments, helped to identify hazards. There seems to be a strong emphasis on security and contracting as risk management tools among all players. The risk management strategies employed in PFI projects, although general, have not yet been shown to be applicable to this kind of project, and further analysis is needed to determine the present level of risk management strategies and the extent to which they are adequate for complicated hospital PFI projects [24].

The adoption of electronic healthcare systems in health facilities has risen significantly in many countries. However, the most significant problem with the utilization of electronic healthcare systems is the security of data. Research conducted by [25] evaluated the risk management of electronic healthcare systems in hospital services with respect to information privacy. A qualitative, cross-sectional approach was used, and 551 hospitals in Iran were surveyed. The Iranian Health Ministry issued an extensive survey to all healthcare institutions in the country to evaluate security risk planning and implementation at the hospitals concerned, based on a study of the literature, specialists' views, and investigations at medical centers. According to the Iran Healthcare Assessment Criteria, 69% of the hospitals in the study implement an information security management system. At some medical facilities, identifying and evaluating risks remain unorganized processes, and the investigated hospitals lack a systematic strategy for risk assessment [25].

In a study, [26] presented measures to protect information acquired by the industry, as well as to enable faster and more secure transaction records. Secondary data were obtained from relevant sources, and primary data were obtained using an internet search engine. The collected data were analysed both quantitatively and qualitatively. Cybersecurity incidents have surged despite the health sector's adoption of electronic healthcare and security measures. Cybersecurity cases were studied in an effort to identify characteristics that may impact the number of breaches. In light of the present crisis, it was concluded that the healthcare industry has prospects in the electronic healthcare sector. Cybersecurity has been a concern since cyberattacks have stolen personal data, and serious efforts have been taken to minimize this [26].

Data protection attitudes and risk assessment among healthcare professionals were evaluated by [27]. The information technology security climate indicator, designed and verified on two datasets, was based on the organizational context literature and is intended to influence employee behaviour. As part of the investigation, four groups of healthcare workers (clinical nurse assistants, orthodontists, pharmacists, and medical assistants) were interviewed. The Cybersecurity Context Measure, data security intention, and data security behaviors were assessed using Likert-type questions. The Data Security Context Measure was shown to be associated with higher levels of security-related motivation and behaviour among employees. Healthcare workers reported a more pleasant working environment and more positive attitudes about their colleagues than did pharmacists. The researchers concluded that security breaches would probably continue in the near future: despite concerns about cybercriminals, most of the threat is caused by irresponsible and/or criminal employee actions. Change in behavior may be achieved via an organizational climate strategy, and since research has shown that a company's data security policy affects employee behavior, it may be useful in influencing attitudes about data protection and privacy [28].

Using a fuzzy analytic hierarchy process (fuzzy AHP), [29] evaluated the potential risks of a web-based healthcare information framework. Every component of usable security was examined in detail, which will assist clinicians in improving both usability and cybersecurity when designing an online health system. The efficiency and security of the hospital's digital system were examined in this study, and the opinions of 101 web development professionals and academics on six security risk indicators were considered. Fuzzy AHP was used to calculate the weight of each security element from these judgments. According to the findings, user experience has to be the most important factor to consider when assessing security risks, and developers of healthcare web applications must emphasize user experience if they want to achieve optimum system operation [29].
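Fuzzy AHP as used by [29] to weight security risk indicators, as an added example rather than the paper's own code or data: four constructed indicators and constructed expert judgements are weighted with Buckley's fuzzy geometric-mean method on triangular fuzzy numbers, and Saaty's consistency ratio is computed on the middle values so that inconsistent judgements can be rejected before the weights are used. The `tfn` fuzzification rule, the indicator names and the judgement values are assumptions.

```python
"""Fuzzy AHP weighting of security risk indicators.

Added example (not code or data from [29]). Uses Buckley's fuzzy geometric
mean method with triangular fuzzy numbers (l, m, u); indicator names and
judgements are constructed for illustration.
"""
from math import prod


def tfn(m):
    """Assumption: fuzzify a crisp Saaty judgement m as the triangle
    (m-1, m, m+1), clipped to the 1..9 scale; equal importance stays crisp."""
    if m == 1:
        return (1.0, 1.0, 1.0)
    return (max(1.0, m - 1.0), float(m), min(9.0, m + 1.0))


def recip(t):
    """Fuzzy reciprocal: (l, m, u)^-1 = (1/u, 1/m, 1/l)."""
    l, m, u = t
    return (1.0 / u, 1.0 / m, 1.0 / l)


def fuzzy_matrix(upper):
    """Expand judgements given for i < j (upper[(i, j)] = 'i over j' as a
    Saaty value or its reciprocal) into the full fuzzy pairwise matrix."""
    n = 1 + max(j for _, j in upper)
    a = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (i, j), v in upper.items():
        t = tfn(v) if v >= 1 else recip(tfn(round(1 / v)))
        a[i][j], a[j][i] = t, recip(t)
    return a


def fuzzy_ahp(a):
    """Crisp, normalised weights from a fuzzy pairwise-comparison matrix."""
    n = len(a)
    # fuzzy geometric mean of each row, component-wise over (l, m, u)
    r = [tuple(prod(a[i][j][k] for j in range(n)) ** (1.0 / n) for k in range(3))
         for i in range(n)]
    sl, sm, su = (sum(x[k] for x in r) for k in range(3))
    # fuzzy weight w_i = r_i (x) (1/su, 1/sm, 1/sl); defuzzify by the centroid
    crisp = [(x[0] / su + x[1] / sm + x[2] / sl) / 3.0 for x in r]
    total = sum(crisp)
    return [w / total for w in crisp]


def consistency_ratio(a):
    """Saaty's CR on the middle values of the matrix; CR < 0.1 is the usual
    threshold for accepting a set of judgements."""
    n = len(a)
    mid = [[a[i][j][1] for j in range(n)] for i in range(n)]
    w = [prod(row) ** (1.0 / n) for row in mid]
    w = [x / sum(w) for x in w]
    lam = sum(sum(mid[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    ri = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
          7: 1.32, 8: 1.41, 9: 1.45}[n]          # Saaty's random index
    return 0.0 if ri == 0 else ((lam - n) / (n - 1)) / ri


# Constructed indicators and judgements (not the paper's six indicators).
INDICATORS = ["usable security", "authentication", "data encryption", "audit logging"]
JUDGEMENTS = {(0, 1): 2, (0, 2): 3, (0, 3): 5, (1, 2): 2, (1, 3): 3, (2, 3): 2}

if __name__ == "__main__":
    a = fuzzy_matrix(JUDGEMENTS)
    for name, w in zip(INDICATORS, fuzzy_ahp(a)):
        print(f"{name:<16} {w:.3f}")
    print(f"CR = {consistency_ratio(a):.3f}")
```

The consistency check matters in practice: a panel that says A > B and B > C but also C > A produces weights that look precise yet mean nothing, and CR is the signal to send the questionnaire back rather than publish the ranking.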

In a study, [30] evaluated the organizational, technological, and digital security of university hospital systems to determine the current state of their information systems. Information systems professionals (n = 36) from healthcare institutions linked with top-ranked healthcare centers (University A and University B) took part. A questionnaire was used to collect the information, and to ensure its reliability professionals assessed its internal consistency using Cronbach's alpha (α = 0.75). Organizational safeguards were found to be at a medium level, while information technology administrators rated the physical and technological safeguards at a very high level. Administrative safeguards were given a medium rating out of three possible levels. Implementing security rules, putting user access frameworks in place, and training users were all suggested to increase cybersecurity [30].

[31] conducted field research to investigate the risk variables associated with the implementation of operating systems in a medical IT system and developed a risk management system and evaluations for identifying potential risks. The primary goal was to develop an information security risk management system for the healthcare sector. The researchers discussed possible risks that might occur at any moment, conducted risk assessments at a university medical center, and designed emergency plans; from this, a risk management plan for the healthcare sector on a worldwide scale was projected. IT strategy assessments for healthcare institutions and their users were evaluated to detect sensitivities, risks, weaknesses, and concerns that affect the healthcare IT system in the risk assessment process. The identified threats were assessed and controlled by presenting applicable control plans and suggestions to prevent or limit the potential risks in the healthcare system. Based on field research and risk assessments, the IT system can be developed further, and threats may be predicted and controlled in the future with good emergency plans [31].

Healthcare information systems (HIS) and security mechanisms for data transfer between patients, institutions, pharmacies, and health insurers were proposed by [32]. The work begins with a comprehensive look at the existing security problems of health information systems and an introduction to Health Level 7 (HL7); using HL7 communication issues as an example, the researchers demonstrate how to conduct a simulated attack. An Autonomic Security Management (ASM) plan was designed to secure a HIS comprehensively against threats from both inside and outside. The HIS is monitored in real time as far as possible, and the attack assessment function can forecast threats that might affect HIS operations. Research on security systems aimed at protecting the confidentiality and security of electronic health records has been reported. The ASM approach's attack control system identified the most suitable protective methods to restore the affected HIS to normal with little or no human interaction. It was concluded that the emerging software offered continuous real-time monitoring and control to evaluate system risks effectively, present security alerts, and protect the HIS from possible attacks by executing preventative measures. As a result, it can also identify and respond to threats that have evaded the system's security. To get the HIS back to normal, the best protections are chosen based on their reliability [32].

A study by [33] examined the security of hospital systems in EU nations ranging from the medium- to the low-income classes. An anonymized electronic questionnaire was used to collect data from ICT (information and communication technology) staff and medical practitioners participating in the study. In 2019, a large healthcare organization in Portugal, a health clinic in Romania, and a health area in Greece all participated in the survey, with response rates of 53.6 percent and 6.71 percent for ICT and medical experts, respectively. The results show the need to establish separate security bodies to evaluate facilities and behaviors, as well as the need for continual information security awareness initiatives. By analyzing the findings, researchers may better understand the actions taken at healthcare facilities and so enhance cybersecurity protection while lowering exposure to risk [33].

In a study, [34] analyzed healthcare data security to obtain a better grasp of current advances in health data security development. The researchers conducted a 10-year study of articles on "medical information" published in Korean journals from 2005 to 2015. For each fiscal year, these journal publications were classified into two categories, literature research and empirical research, with further divisions based on topics and issues. In conclusion, 17 (35.4 percent) of these publications focused on rules, organizations, and programs, the most prevalent kind of study. Articles on medical specialists were the most common in the literature research, while studies of information security professionals and hospital professionals were the most common in the empirical research. The researchers suggested that risk assessment in hospital information systems might benefit from further study of social perception, organizational development, and technological advancements [34].

[35] conducted an evaluation of international health vulnerabilities as part of the Biological Threat Reduction Program (BTRP) risk management effort. A multi-sectoral, interdisciplinary team of eight experts led the evaluation process, which included information assessments, interviews, focus groups, and on-site evaluations. The objective was to improve strategic planning for the BTRP and to provide quantitative assessment for monitoring partner countries' capabilities during BTRP participation. In over 25 countries, the approach has been used to develop a framework for identifying and assessing system-wide risk mitigation and management strategies, as well as for periodic evaluations of their performance. According to the findings, the adoption of a standard and comprehensive methodology has been effective for identifying effective and sustainable initiatives focused on achieving both local and worldwide health security objectives [35].

In a study, [36] evaluated risk assessment at the social protection facilities of Isfahan Province in the event of an emergency using the healthcare quality index. This descriptive-analytical research was carried out in 2015 at Isfahan Province Social Insurance Healthcare facilities using a cross-sectional approach. The Healthcare Quality Index Standardized Survey was used to explore the risk evaluation; it was divided into two parts, one covering basic information on the health facilities and the other containing 145 indicators in systemic, operational, and developmental categories. Observations and interviews with the facilities' managers were used to complete the survey at each hospital. Weighting was based on the healthcare quality factor, which ranged from 0 to 2, and Excel was used to analyze the data. The safety index in the three examined healthcare institutions suggested that the security level in each of them was average. Although their condition is not serious, they need planning and management of important safety precautions, and these healthcare institutions required important short-term risk control strategies [36].

[37] proposed a technique for conducting privacy impact assessments (PIA) that focuses on assessing organizational features and takes a set of well-defined indicators as input, demonstrating its application to two health information systems with contrasting features. Using measurements and taking into consideration the unique characteristics of the organization, the research proposed a PIA technique whose effectiveness was shown on two distinct health information systems. With the help of this tool, organizations may better assess the severity of possible cybersecurity threats and, as a result, choose the most effective security measures to protect the information they gather and store. Outcomes of the suggested PIA approach show that each security standard is significant to the institution's data. To calculate the reliability level, the approach takes into consideration the potential consequences of data privacy and security breaches on a given data collection, the weighting of each security standard, and the unique features of each organization. This indicated that an organization can make an accurate assessment of the security protections and privacy enforcement methods to adopt in order to appropriately protect its information based on the results of the PIA [37].

A study conducted by [38] evaluated healthcare information security risk assessments. The research was conducted in 2014 with 27 participants, all of them health service IT professionals. A survey with a variety of open and closed questions was used, and test-retest correlation (r = 0.78) was used to examine the reliability of the closed survey questions. Fire was found to be a significant risk factor for data security, according to the findings, while possible risks to people or the surrounding environment were low-probability risk indicators. Technological safeguards were the most commonly implemented in healthcare institutions, compared with organizational and physical safeguards. Immediate corrective steps were needed to address high-potential risk factors, according to the findings; consequently, the underlying causes of such threats must be found and addressed before any negative consequences are experienced [38].

In a study, [39] discussed the current state of the art in assessing the cybersecurity threats associated with Supervisory Control and Data Acquisition (SCADA) systems. Twenty-four risk assessment approaches designed for or used in SCADA systems were selected and examined in depth. The researchers then address each approach's purpose, application area, phases of risk assessment targeted, major risk aspects addressed, impact assessment, sources of probability data, evaluation, and tool support. An understandable classification scheme for SCADA cybersecurity evaluation models was proposed as a result of the analysis. In addition, the researchers identified five research challenges facing the area and suggested possible solutions. Although several risk assessment methodologies for SCADA systems are available, additional study and many improvements are needed: information security risk assessment techniques for SCADA systems could be improved in managing risk at the organizational level of strategic planning, addressing the attack perspective, accounting for the human factor, capturing and formalizing expert opinion, and improving the reliability of predictive information [39].

A new interval type-2 fuzzy inference system controller (IT2FIS) developed by [40] has been used to improve the risk assessment model for information technology. IT2FIS is made up of three sub-models: overall functionality, which is governed by functionalities, motivation and aiming; the possibility of an attack based on security vulnerabilities; and finally the risk of an attack, which is assessed from the possibility of an attack and the impact of an attack. By incorporating the three sub-models, the researchers were able to design and develop a comprehensive evaluation of information security risks. Even though there is a lot of uncertainty in the records and knowledge about information technology, this technique has an improved ability to anticipate risks to data security, despite the numerous risks caused by the consequences of illegal activities. Analysis of statistical data, an adaptive neuro-fuzzy inference system (ANFIS), and multiple linear regression were used to determine the model's reliability at the end. In each of the sub-cases, the researchers provided some quantitative data analysis in order to demonstrate the validity of the system. For risk-informed judgments, the description of risk uncertainty to decision-makers is vital, and this research also acknowledges the relevance of this issue. In the future, the IT2F controller's hardware implementation may be studied. It is also possible to test the suggested controller's applicability in various real-time information security settings [40].

A healthcare information cybersecurity, safety, and data threat assessment approach was evaluated by [41]. It was then applied to an infusion system and compared with existing standards and practices to see whether it is feasible. The analysis of frameworks shows that device-related hazards may be seen as part of one system. Security vulnerabilities in medical technology have been on the rise since the introduction of internet connections. This study presented an ISSP risk assessment methodology in order to protect health care facilities. As far as medical devices are concerned, regulatory agencies' best practices and standards tend to concentrate on either cybersecurity or personal safety. These organizations seem to be primarily concerned with certifying safety-related procedures, and as a result, security risks that have a significant impact on patient health are mostly ignored. Standardized safety and protection risks may be evaluated using this framework, which helps determine the risk level and the procedures necessary for securing medical devices. Since most healthcare device makers do not adhere to the Health Insurance Portability and Accountability Act (HIPAA) rules, the proposed model also offers a method for calculating privacy-related threats. The assessment and application of the suggested framework by FDA specialists should be the focus of future study, since it will help reduce healthcare industry risks [41].

In a research study, [42] investigated the role of risk assessment in the management of work-related illnesses and injuries among hospital employees. The goal of this research was to find the best way to estimate healthcare risks. A comparison of the most often used approaches was performed. Although there are many ways to measure patient care quality, none has been tailored to the unique challenges of hospital operations. The approach was adopted from the INCDPM (National Research and Development Institute for Labor Protection Bucharest) method and was used to determine the standard associated risks for each employment post in each department, as well as the overall risk level for the health center as a whole. Risks in healthcare areas were higher than the average for all employees, but did not surpass 3.50, which is considered a reasonable level of security for this kind of activity. The ELVIE approach was used to analyze the psychological hazards. It was concluded that the advantages of each technique varied: the ELVIE and SOBANE procedures are simpler for executives and managers to understand than the INCDPM approach, which gives statistical results. In the future, procedures should be improved so that findings may be presented in both numerical and graphical form [42].

A system for risk analysis in health facilities was evaluated by [43]. To find out what the users really want, the researchers used a V system planning framework in combination with a variety of other methodologies, including in-depth surveys and documentary reviews. To solve the present issues, it is important to provide specific information on the basics of risk assessment. The approach the researchers developed includes a risk assessment framework, explanatory cards, and a risk evaluation form to help organize the risk assessment and record its results, all of which are part of the framework. The framework was evaluated in various groups using a typical scenario, and the results were used for user assessment. An interview-based user assessment was done with ten participants and provided positive findings. In addition to being used as a learning platform, the model was suggested for use in practice. The researchers expect that by incorporating it into risk assessments, people may arrive at better conclusions and take more suitable steps to reduce the risks they face. As a result, patient safety and quality of treatment might be enhanced [43].

In accordance with the ISO 31000 risk management concept, [44] assessed the tool's advantages and limitations. The stages of a risk management system include risk assessment, which identifies risks, analyses and evaluates all possible threats, and implements a risk management plan. The scientific community has developed a number of approaches for evaluating potential dangers. There are many ways to analyze risk, and one of the most used is a risk assessment framework known as the "decision matrix risk assessment (DMRA) methodology". Participants in the risk assessment process must address a wide range of topics, including the selection of the best methodological approach, determining the effectiveness of current control mechanisms, defining impact-consequences, describing risk probability scales, and creating a risk assessment matrix. With these concerns in mind, the researchers have made many suggestions, which are particularly valuable when healthcare institutions do not provide enough information about risk assessments and how to respond to current issues [44].
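To make the decision matrix concrete, the following added Python example (not code from [44] or from this paper) works a DMRA-style assessment over a constructed register of hospital information system threats; the probability and impact scales, the rating bands and the control-effectiveness adjustment are assumptions made for the illustration, not values from the reviewed studies.

```python
"""Decision-matrix risk assessment (DMRA) worked through for hospital IS threats.

Added illustration; the scales, rating bands, control-effectiveness
adjustment and threat register are constructed assumptions.
"""
from dataclasses import dataclass

# 5-point probability scale (assumed; each organization defines its own)
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# 5-point impact-consequence scale (assumed)
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Rating bands over the probability x impact product (assumed): (low, high, label)
BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 16, "high"), (17, 25, "extreme"))


@dataclass
class Threat:
    name: str
    probability: str            # inherent likelihood, before existing controls
    impact: str
    control_effectiveness: int  # 0 (no effective control) .. 100 (fully effective), in percent


def residual_probability(inherent: int, effectiveness_pct: int) -> int:
    """Lower the likelihood score by the effectiveness of existing controls.

    Integer arithmetic with ceiling so controls are never over-credited,
    and a floor of 1 because a threat is never treated as impossible.
    """
    pct = min(max(effectiveness_pct, 0), 100)
    reduced = (inherent * (100 - pct) + 99) // 100
    return max(1, reduced)


def score(threat: Threat) -> int:
    """Matrix cell value: residual probability times impact."""
    p = residual_probability(PROBABILITY[threat.probability], threat.control_effectiveness)
    return p * IMPACT[threat.impact]


def rating(value: int) -> str:
    """Map a matrix cell value onto the qualitative rating band."""
    for lo, hi, label in BANDS:
        if lo <= value <= hi:
            return label
    raise ValueError(f"score {value} outside matrix bounds")


def assess(register) -> list:
    """Score every threat and return (name, score, rating) ordered for treatment, highest first."""
    rows = [(t.name, score(t), rating(score(t))) for t in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed register drawn from threat categories the review tabulates
REGISTER = [
    Threat("Fire in the server room", "unlikely", "severe", 60),
    Threat("Ransomware on the hospital information system", "likely", "severe", 25),
    Threat("Staff non-compliance with security procedures", "likely", "moderate", 0),
    Threat("Medical device software failure", "possible", "major", 50),
    Threat("Unauthorised disclosure of patient records", "possible", "major", 0),
]

if __name__ == "__main__":
    for name, value, label in assess(REGISTER):
        print(f"{label:>7}  {value:>2}  {name}")
```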


3. RESEARCH METHODOLOGY 


A systematic literature review method is employed in this study to offer a comprehensive analysis of previous papers and research on Security Risk Assessment in Medical Information Systems. The research design used in this study is qualitative and descriptive. I investigated some of the current risks associated with Medical Information Systems in particular. This research on the content and context of Medical Information Systems threats examines a wide range of Medical Information Systems-related vulnerabilities in more depth. An investigation of numerous sources was carried out in order to examine the Medical Information Systems vulnerabilities and establish whether or not these threats have an adverse effect on data security. According to the research design, scientific literature, as well as new articles from popular publications, will be reviewed and analyzed in detail. A survey of the literature provides in-depth knowledge and understanding of this subject, Security Risk Assessment in Medical Information Systems. It gives context for the research and an overview of how the study relates to a broader field of research. The analysis of the literature enables me to evaluate the sources that I used to conduct my research on Security Risk Assessment in Healthcare Information Systems.

The study was performed at the Purchase Public Library, using online resources such as Google Scholar, Google Books, Microsoft Academic, Science.gov, PubMed Central, ResearchGate, and other scientific databases to complete the study. Furthermore, I used the Google Chrome browser to research security threats relevant to the subject of my study. Using specified search keywords, I conducted searches for scientific research and publications, as well as relevant articles. The relevant keywords I used were the following: Data security risks in hospitals, Risk assessment, Cybersecurity risks, Information security threats, Medical data security vulnerabilities, and Information security risk assessments in healthcare sector. These keywords provided the most relevant results for this study.
[Figure 1 (selection flow): Identification: 204,000 results for papers were found; after discarding the duplicated papers, 34057 papers remained. Screening: 34000 articles rejected; after screening abstract and title, 57 papers remained for the next phase. Inclusion: after the full-text evaluation, 18 studies were eliminated and 39 papers were included in the literature review.]

Figure 1: Graphics for papers selection for literature review


The graphics for the different steps of the selection of papers for the literature review are shown in Figure 1. In the first step, 204,000 results for papers were found; after discarding the duplicated papers, 34057 papers remained. In the screening of abstract and title, 34000 articles were rejected and 57 papers remained for the next phase. After the full-text evaluation, 18 studies were eliminated and 39 papers were included in the literature review. The distribution of chosen articles by year is shown in Figure 2. I noted that almost 80% of the papers were published between the years 2016-2022.

[Figure 2 (pie chart): Distribution of selected papers by year. Legend: 2022, 2021, 2020, 2019, 2018, 2017, 2016.]

Figure 2: Distribution of selected papers by year
4. RESULTS AND DISCUSSION


This section presents and discusses the results of the literature review. Tables summarize the risks and challenges, together with the methodology, threats addressed, and suggested mitigations of each study, as well as its publication year and authors. The next part discusses the gap identified in the systematic review as well as future trends in risk assessment in medical information systems.


A notable concern raised in the literature was the refusal of most hospitals to employ information security risk management, which was a subject of discussion for the researchers [5-12]. Another key issue discussed in the literature was the lack of appropriate, robust security and privacy (S&P) in the healthcare system. This lack of security and privacy threatens not just patients' privacy, but also their lives [16]. If not addressed immediately, these vulnerabilities have the potential to result in a large number of issues with the cybersecurity of health information systems in the future. Thus, the Ministry of Health should adopt effective strategies to strengthen the risk management of information security in healthcare facilities. S&P awareness among hospital information systems must be raised in future studies via the identification and quantification of possible S&P risks. Figure 3 shows the notable concerns in the literature related to risk assessments in hospital information security systems, including the refusal of most hospitals to employ information security risk management (60%) and the lack of security and privacy (40%).


[Figure 3 (pie chart): Challenges in literature related to risk assessments in hospital information security system. Legend: Refusal of most hospitals to employ information security risk management; Lack of robust security and privacy (S&P).]

Figure 3: Challenges in literature related to risk assessment in hospital information security system


Table 1 below summarizes the major threats and mitigations for information security risk assessment programs in the healthcare sector that have been identified by various research, together with the methodology of each study. The findings indicated that the most often addressed problems and concerns about the cybersecurity of medical information systems were, in the first place, privacy concerns [20-28]. Furthermore, in medical information security systems, risks to patient data security, hardware, software, integrated technologies, and licenses were all prevalent [30-35].
Table 1: Summary Of Different Articles Evaluating Various Medical Security Threats

Title of article | Author | Publication year | Methodology | Addressed threats | Suggested mitigations
Information security risk management for computerized health information systems in hospitals: a case study of Iran | Zarei & Sadoughi | 2016 | Descriptive and cross-sectional research | Challenges of computerized health information systems (CHIS) | Information Security Risk Management (ISRM) program in hospital services
Security Control Model for Electronic Health Records | Kemboi & Ronoh | 2021 | A cross-sectional quantitative survey study design | Technical security threats, physical and administrative security threats | Data backup, temperature controls, and network services policies offer an organized system for implementing data security
Security Assessment of Information System in Hospital Environment | Tritilanunt & Surapol | 2016 | Quantitative research design | Hardware, software, integrated technologies, and licenses threats | Hospital IT Quality Improvement Framework (HITQIF)
Business continuity inspired fuzzy risk assessment framework for hospital information systems | Motevali Haghighi & Torabi | 2020 | Quantitative research | Hardware, software, human, network, database, and data warehouse risks | Business continuity-inspired fuzzy risk assessment framework (BC-FRA) for healthcare systems
Security and Privacy in the Internet of Medical Things: Taxonomy and Risk Assessment | Alsubaei & Shiva | 2017 | Quantitative research | Patients data threats, lack of proper security and privacy on internet of medical things (IoMT), less or no attention to devices, their interfaces, and applications addressed | IoMT taxonomy of security and privacy issues (S&P) proposed to increase the awareness
Evaluation of Hospital Information System of hospitals Affiliated to a University of Medical Sciences in West of Iran | Mirzaei et al. | 2019 | A cross-sectional quantitative survey study design | Risks related to medical staff, financial administration, health information management, and information technology | Creating web-based HIS capability, developing multilingual content for systems, and flexibility of software modules, purchasing software packages from software developer
Taxonomy of Information Security Risk Assessment (ISRA) | Shameli-Sendi et al. | 2016 | Quantitative, qualitative, hybrid | Vulnerabilities related to assets, medical services, business process | Developing information security risk assessment (ISRA) process and provide organizations with an awareness of the many risk assessment approaches available
Private Finance Initiative in the healthcare sector: trends and risk assessment | Akintoye & Chinyio | 2005 | Qualitative research | Security vulnerabilities in Private Finance Initiative (PFI) | Implementing a healthcare PFI research affects risks analysis, ultimate facility selection, or requirements
A study of future opportunities and challenges in digital healthcare sector: cyber security vs. Crimes in digital healthcare sector | Avani Rachh | 2021 | Quantitative and qualitative analysis | Vulnerabilities related to online transactions, digital healthcare system and information security | Develop security procedures at all levels to secure personal data and medical records, and increase awareness of data security
A Fuzzy Analytic Hierarchy Process for Security Risk Assessment of Web based Hospital Management System | Al-Mejibli & Alharbei | 2019 | Quantitative research | A healthcare web application's security vulnerability | Developing a fuzzy analytic hierarchy process with the purpose of increasing the usability and security of a healthcare web application
Risk Management Framework and Evaluation: Detail Site Study and Governance of Information Security Risk Management in Medical Information Technology Infrastructure in Hospitals | Divan et al. | 2018 | Qualitative research | Hardware, Software failures, and other vulnerabilities to medical system | Changing an ad-hoc network to one with a server (or wireless router) as a backbone
Global Health Security Risk Assessment in the Biological Threat Reduction Program | Kharaishvili et al. | 2020 | Qualitative research | International health vulnerabilities | Strategic planning for Biological Threat Reduction programs (BTRP) for health security
Risk assessment in social security hospitals of Isfahan Province in case of disasters based on the hospital safety index | Tabatabaei & Abbasi | 2016 | A descriptive-analytical cross-sectional design | Technological, biological, societal, human-made, and hydro-meteorological threats | Implementing the necessary standards to increase safety and reduce damages
Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices | Yaqoob et al. | 2020 | Quantitative research | Hijacking, threats regarding device software, hardware, and batteries, as well as user interface issues | Adopting Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to evaluate the device's risk level and the security policies
Role of Risk Assessment in Prevention of Work-Related Accidents and Diseases in Hospital Staff | Boariu & Armean | 2020 | Quantitative research | Risks related to work-related illnesses and injuries among hospital employees | Adopting INCDPM, ELVIE and SOBANE approaches used to analyse the psychological and other healthcare hazards
A framework to support risk assessment in hospitals | Kaya et al. | 2019 | Mixed method | Healthcare risks and challenges with current risk assessment practice in hospitals | Implementing a risk assessment framework, explanatory cards, and a risk evaluation form to assist organize the risk assessment
Risk Analysis in Healthcare Organizations: Methodological Framework and Critical Variables | Pascarella et al. | 2021 | Mixed method | Patient safety risks and other healthcare vulnerabilities | Implementing risk matrix tool to identify the consequences level and risk rating
Table 2 below shows the summary of different articles evaluating cybersecurity risks, including the different addressed threats and suggested mitigations for information security risk assessment programs in healthcare sectors, together with the methodology of each study. The findings revealed that cyber-attacks, medical device hijacking, ransomware, and other criminal activities were the most often addressed problems and concerns with medical information systems [15-22].


Table 2: Summary of different articles evaluating cybersecurity risks

Title of article | Author | Publication year | Methodology | Addressed threats | Suggested mitigations
IoT a security risk management model for healthcare industry | Salih et al. | 2019 | Qualitative research | Cyber-attacks, medical device hijack and ransomware in hospitals | The formulation of IoT Security Risk Management Model for Healthcare based on DEMATEL procedure
A review of cyber security risk assessment methods for SCADA systems | Cherdantseva et al. | 2016 | Quantitative research | Cyberattacks | Implement SCADA (Supervisory Control and Data Acquisition) technologies to ensure cyber security
Novel interval type-2 fuzzy logic controller for improving risk assessment model of cyber security | Jana & Ghosh | 2018 | Quantitative research | Cybersecurity vulnerabilities and other criminal actions | Implementing a unique type-2 fuzzy logic inference system model for cybersecurity evaluation improvements
A Risk Assessment Framework Proposal Based on Bow-Tie Analysis for Medical Image Diagnosis Sharing within Telemedicine | Poleto et al. | 2021 | Quantitative research | Cybersecurity risks | Adopting risk evaluation frameworks expected to enable bow-tie assessment to recognize possible risks in information security and act preventatively, detecting the causes
A Cyber Security Risk Assessment of Hospital Infrastructure including TLS/SSL and other Threats | Millar | 2016 | Quantitative research | Cyber threats | Improve significant reforms in national health service (NHS) to elevate cyber security to a top priority without affecting the NHS's long-standing commitment to medical safety
A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation | Mahler et al. | 2020 | Quantitative research | Cybersecurity risks | Implementing a threat identification, likelihood, severity decomposition, and risk integration technique (TLDR) based on ontologies for improving security
Security risk assessment in Internet of Things systems | Nurse et al. | 2017 | Qualitative research | Cybersecurity risks | Adopting novel approaches and best practices for risk analysis that take into account the dynamic nature of the Internet of Things (IoT)
Table 3 below shows the summary of different articles evaluating data privacy breaches and other security vulnerabilities, including the different addressed threats and suggested mitigations for information security risk assessment programs in healthcare sectors, together with the methodology of each study. The results showed that the most tackled issues and concerns with data privacy breaches and other security vulnerabilities in medical information systems were, in the first place, HIPAA data breaches, external hackers, staff carelessness or non-compliance with security standards, and medical information leakage [30-39].
Table 3: Summary of different articles evaluating the data privacy breaches and other security vulnerabilities

Title of article | Author | Publication year | Methodology | Addressed threats | Suggested mitigations
Information security climate and the assessment of information security risk among healthcare employees | Kessler et al. | 2020 | Quantitative research | HIPAA data breaches, external hackers, staff carelessness, or non-compliance with security standards and procedures | Information Security Climate Index (ISCI) for risk assessment and awareness
Creating a Standardized Risk Assessment Framework Library for Healthcare Information Technology | Schmeelk | 2020 | Qualitative research | Data breaches, Web application vulnerabilities | Developing a Standard Risk Evaluation Conceptual model Libraries for Hospital information technology and risk assessment process
Trends in Research on the Security of Medical Information in Korea: Focused on Information Privacy Security in Hospitals | Kim et al. | 2018 | Quantitative research | Medical information leakage and other medical accidents | Regulations and government programs such as HIPAA and others recommended
Health Information Security in Hospitals: the Application of Security Safeguards | Mehraeen et al. | 2016 | Quantitative research | Information security and data protection issues due to lack of guidelines for resolving security concerns, and an absence of well-documented policies | Administrative, technical, and physical safeguards for data security. Implementing security rules, network management strategies, and user training are suggested.
Towards Autonomic Security Management of Healthcare Information Systems | Chen & Lambright | 2016 | Qualitative research | Internal and external attacks on healthcare information system | Integrate with the HL7 standard and the Autonomic Security Management (ASM) strategy for attack mitigation
A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures | Gioulekas et al. | 2022 | Quantitative research | Healthcare information security vulnerabilities | Information security systems software (e.g., antivirus databases, UTM firewalls with IDS/IPS) should be upgraded
Utilizing a privacy impact assessment method using metrics in the healthcare sector | Makri et al. | 2020 | Quantitative research | Data privacy breaches | Suggested a privacy impact assessment (PIA) technique for determining security and privacy enforcement solutions
Information Security Risk Assessment in Hospitals | Ayatollahi & Shagerdi | 2017 | Mixed-method | Threats to hospital information and computer security, physical/environmental threats | Implementation of early-warning fire, cooling, and smoke detection systems
A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs | Das et al. | 2019 | Quantitative research | Information security breaches | Implementing MISRAM is a best mitigation strategy for Risk Management of Data Security in Hospital
Security analysis and improvement of bio-hashing based three factor authentication scheme for telecare medical information systems | Jiang et al. | 2018 | Quantitative research | Threat of exposing sensitive medical information to illegal entities | Implementing 3FA scheme's compliance with both data encryption privacy and secure authentication standards
Security Risk Assessment in Electronic Health Record System | Madhavi & Lincke | 2018 | Quantitative research | Risks of data breaches associated with electronic Health Records (EHRs) | Implementing a strategy to evaluate the cybersecurity risks to determine rates of cyberattack types and quantify SLE (Single Loss Expectancy)


Figure 4 shows the threats addressed in the literature related to risk assessments in hospital information security systems. The findings show hardware, software failures, and other vulnerabilities (15%); technical security threats, physical, management and other administrative security threats (7%); data privacy breaches (7%); risks related to work-related injuries among hospital employees (7%); overall cybersecurity vulnerabilities and other criminal actions (25%); and data privacy breaches and other security vulnerabilities (39%).
[Figure 4 (pie chart): Addressed threats. Legend: Hardware, Software failures, and other vulnerabilities; Technical security threats, physical, management and other administrative security threats; Data privacy breaches; Risks related to work-related injuries among hospital employees; Cybersecurity vulnerabilities and other criminal actions; Data privacy breaches and other security vulnerabilities.]

Figure 4: Addressed threats in literature


Figure 5 shows the mitigations suggested in the literature related to risk assessments in hospital information security systems. According to the findings, the suggested mitigations for a secure information security system in hospitals include implementing an information security risk management program in hospital services (34%); implementing security rules (15%); data backup, temperature controls, and network services policies (5%); developing multilingual content for systems, and flexibility of software modules (5%); providing awareness of risk assessment approaches (20%); strategic planning for biological threat reduction programs (5%); significant reforms in the national health service (NHS) to elevate cyber security (5%); recommendations of regulations and government programs such as HIPAA (10%); and others (1%).
[Figure 5 (pie chart): Suggested mitigations. Legend: Implement information Security Risk Management program in hospital services; Implementing security rules; Data backup, temperature controls, and network services policies; Developing multilingual content for systems, and flexibility of software modules; Awareness related risk assessment approaches; Strategic planning for Biological Threat Reduction programs; Improve significant reforms in national health service (NHS) to elevate cyber security; Regulations and government programs such as HIPAA recommended; Others.]

Figure 5: Suggested mitigations in literature


Figure 6 shows the methodology used in the literature. According to the findings, the literature involved descriptive and cross-sectional research (3%), quantitative research design (69%), quantitative-qualitative or hybrid research (6%), and qualitative research design (22%).
[Figure 6 (pie chart): Methodology. Legend: Descriptive and cross-sectional research; Quantitative research design; Quantitative-qualitative or hybrid; Qualitative research design.]

Figure 6: Methodology used in literature


5. CONCLUSION 


This study used a systematic evaluation of the literature to provide an in-depth examination of previous studies and research on Security Risk Assessment in Medical Information Systems. A wide range of Health Information Systems (HIS) risks was examined in more detail in this study on the complexities of threats to Medical Information Systems. A further contribution of this study is that it includes tables that explain the methodology, risks addressed, and possible mitigations for a number of studies, which increases the relevance of the research. In the literature, there were two prominent points of concern: the refusal of most hospitals to implement information security risk management and the lack of suitable, robust security and privacy (S&P) measures in the healthcare system. Patients' privacy and security would be affected as a result of this lack of security and privacy, which might even put their lives at risk. If these risks are not addressed soon, they have the potential to lead to a significant number of challenges with the security of healthcare information systems in the future. So the Ministry of Health should implement efficient techniques to improve the risk management of information security in healthcare organizations. The focus of this study is mostly on assessing medical information system security concerns and the efforts made to mitigate these risks. Healthcare organizations may use the results of the research to enhance IT efficiency and patient data security. By highlighting the threats involved with information security, the study will encourage people to secure themselves. It covers the strategies that hospitals have implemented to strengthen their data security and patient identification techniques in order to better serve their patients.